Hello All,<br><br>I am trying to get a servlet to download and check a CRL. The CRLDP is in the client's certificate and the CRL is marked "indirect CRL" so that it can be signed by a different key than the client cert issuer. The following block of code is invoked but the DistributionPointFetcher can't seem to build a valid path and a CRLException is thrown. My assumption was this would work if I included the CRL signing certificate in my truststore. What I find odd while stepping through this in a debugger is that the "certStores" object contains only the client certificate which is to be validated, so it makes sense that X509CertSelector doesn't find the right cert in there. <br>
<br>Has anyone got indirect CRLs validated before? I'd be interested in the details of a test setup that works. I can provide more details of my test setup if necessary.<br><br>Thanks, David<br><br><br> // Obtain and validate the certification path for the complete<br>
// CRL issuer (if indirect CRL). If a key usage extension is present<br> // in the CRL issuer's certificate, verify that the cRLSign bit is set.<br> if (indirectCRL) {<br> X509CertSelector certSel = new X509CertSelector();<br>
certSel.setSubject(crlIssuer.asX500Principal());<br> boolean[] crlSign = {false,false,false,false,false,false,true};<br> certSel.setKeyUsage(crlSign);<br> PKIXBuilderParameters params = null;<br>
try {<br> params = new PKIXBuilderParameters<br> (Collections.singleton(anchor), certSel);<br> } catch (InvalidAlgorithmParameterException iape) {<br> throw new CRLException(iape);<br>
}<br> params.setCertStores(certStores);<br> params.setSigProvider(provider);<br> try {<br> CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");<br>
PKIXCertPathBuilderResult result =<br> (PKIXCertPathBuilderResult) builder.build(params);<br> prevKey = result.getPublicKey();<br> } catch (Exception e) {<br> throw new CRLException(e);<br>
}<br> }<br>